{
	"id": "321627ed-1e86-4ddf-86ab-f4f678f4f2ed",
	"created_at": "2026-04-06T00:09:54.983639Z",
	"updated_at": "2026-04-10T03:22:01.82958Z",
	"deleted_at": null,
	"sha1_hash": "f858687c58671c687319b0831a9b90ca6b99db2f",
	"title": "FTCODE Ransomware: New Version can Steal Data | Zscaler Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1047000,
	"plain_text": "FTCODE Ransomware: New Version can Steal Data | Zscaler Blog\r\nBy Rajdeepsinh Dodia, Amandeep Kumar, Atinderpal Singh\r\nPublished: 2020-01-16 · Archived: 2026-04-05 23:43:43 UTC\r\nRecently, the Zscaler ThreatLabZ team came across PowerShell-based ransomware called “FTCODE,” which targets Italian-language users. An earlier version of FTCODE ransomware was being downloaded using a document file that contained malicious macros. In the recent campaign, the ransomware is being downloaded using VBScript.\r\nFigure 1: FTCODE downloaders observed in the Zscaler cloud (Office documents in red and VBScripts in yellow)\r\nThe latest version we’ve seen in the Zscaler cloud contains version number 1117.1. We also came across this malware with version numbers from 1001.7 to 1117.1. In this blog, we’ll describe the infection method and its techniques for stealing credentials.\r\nTechnical details\r\nInfection starts with spam emails containing malicious macro documents and, more recently, containing links to VBScripts that further download a PowerShell script known as FTCODE ransomware. Once a user executes the VBScript, it executes the PowerShell script shown in the screenshot below.\r\nhttps://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities\r\nPage 1 of 11\r\nFigure 2: PowerShell script to download a decoy image and the ransomware\r\nThe script first downloads a decoy image into the %temp% folder and opens it, trying to trick users into believing that they simply received an image, but in the background it downloads and runs the ransomware.\r\nFigure 3: Decoy image\r\nThe downloaded script is saved in %Public%\\Libraries\\WindowsIndexingService.vbs. The screenshot below displays the command-and-control (C\u0026C) request for downloading the VBScript.\r\nFigure 4: C\u0026C communication request to download VBScript\r\nPersistence\r\nFurther, the malware creates a shortcut file called windowsIndexingService.lnk in the victim’s startup folder, so it will execute at every reboot. The shortcut file executes %Public%\\Libraries\\WindowsIndexingService.vbs. It also creates a scheduled task named WindowsApplicationService for executing the WindowsIndexingService.vbs file.\r\nFTCODE checks if the file \\%temp%\\quanto00.tmp exists. If the file exists and was created more than 30 minutes ago, FTCODE writes the current time into the file; otherwise, it exits the script. It also checks for the file %public%\\OracleKit\\w00log03.tmp, which contains a GUID; if it doesn’t find the file, it writes a GUID into w00log03.tmp and sets the file attribute to hidden.\r\nC\u0026C communication\r\nThe malware sends information to its C\u0026C as shown in the screenshot below.\r\nFigure 5: Sending data to the C\u0026C\r\nver = 1117.1, version\r\nvid = vb5, specific campaign identifier\r\nguid = GUID\r\next = first 6 characters of newly generated GUID (extension of encrypted file)\r\nr1 = Base64 encoded (Base64 encode(encrypted (8 character GUID + 42 random characters)); Base64 encoded(encrypted((Random 23 + Random 11))))\r\nThe malware generates random characters, which are encrypted using the RSA algorithm. The RSA key is hardcoded in the script. Those randomly generated strings are used to generate a password.\r\nAfter getting a response from the server, the malware writes the current date-time into /%temp%/quanto00.tmp. If it doesn’t get any response, it terminates itself. After that, it sends another POST request to the C\u0026C server with the \u0026status=start parameter, as shown below, and starts the encryption process.\r\nFigure 6: Sending status update to C\u0026C\r\nEncryption\r\nThe malware searches for all drives with at least 50kb of free space and starts encrypting the files with the extensions below.\r\nFigure 7: Extension list for encryption\r\nFTCODE generates a password using the GUID and the random character set generated earlier. It uses Rijndael symmetric key encryption to encrypt 40960 bytes of each file with one of the above extensions. The initialization vector is based on 11 randomly generated characters.\r\nFigure 8: Encryption code\r\nAfter encrypting files, FTCODE appends the extension (the first 6 characters of the newly generated GUID) and drops the ransom note \"READ_ME_NOW.htm\" in the directory that contains the encrypted files. The personal ID in the ransom note is the newly generated GUID.\r\nFigure 9: Ransom note\r\nThe earlier FTCODE version’s encryption key was generated based on the hardcoded string \"BXCODE hack your system\" and a randomly generated key. The earlier version’s initialization vector was based on the hardcoded string \"BXCODE INIT.\" The earlier version (1001.1) of FTCODE adds the .FTCODE extension after encryption. All versions use the same ransom note.\r\nStealer capability\r\nThe latest version of FTCODE added stealing functionality, which was absent in earlier versions. It steals credentials from the browsers and email clients below.\r\nInternet Explorer\r\nMozilla Firefox\r\nMozilla Thunderbird\r\nGoogle Chrome\r\nMicrosoft Outlook\r\nInternet Explorer\r\nThe script steals the stored credentials from the Internet Explorer web browser and gets the history folder using $shell.NameSpace(34). It takes history details and decrypts the stored credentials from information in the registry key HKCU:\\Software\\Microsoft\\Internet Explorer\\IntelliForms\\Storage2. It also checks whether the operating system is above Windows 7; if so, it fetches credentials from the vault, as shown in the code below.\r\nFigure 10: Code to steal credentials from vault\r\nMozilla Firefox and Mozilla Thunderbird\r\nThe script checks the paths below and fetches the credentials from the Mozilla Firefox browser and the Mozilla Thunderbird email client.\r\nSystemDrive\\Program Files\\Mozilla Firefox\r\nSystemDrive\\Program Files\\Mozilla Thunderbird\r\nSystemDrive\\Program Files (x86)\\Mozilla Firefox\r\nSystemDrive\\Program Files (x86)\\Mozilla Thunderbird\r\nGoogle Chrome\r\nThe script steals credentials from the Google Chrome browser from the file \\%UserProfile%\\AppData\\Local\\Google\\Chrome\\User Data\\*\\Login Data.\r\nFigure 11: Code to steal credentials from the Google Chrome browser\r\nMicrosoft Outlook\r\nThe script steals saved credentials by accessing the following registry keys.\r\nHKCU:\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\*\\9375CFF0413111d3B88A00104B2A6676\\*\r\nHKCU:\\Software\\Microsoft\\Office\\1[56].0\\Outlook\\Profiles\\*\\9375CFF0413111d3B88A00104B2A6676\\*\r\nNext, it sends a POST request with the data guid=temp_1235266078\u0026crederror=start chooseArch to kind.its1ofakind[.]com. Further, it sends the stolen data to its C\u0026C as shown in the screenshot below.\r\nFigure 12: Sending stolen credentials to C\u0026C\r\nguid = hardcoded in script\r\ncred = stolen credentials\r\nThe stolen credentials are in the format below. Username and password are Base64 encoded.\r\nFormat: {\"URL\":[{\"Username\":\"Password\"},{\"Username\":\"Password\"}]\r\nFinally, after sending data, it sends a POST request with guid=temp_1235266078\u0026crederror=SUCCESS.\r\nConclusion\r\nThe FTCODE ransomware campaign is rapidly changing. Because it is written in a scripting language, it offers multiple advantages to threat actors, enabling them to add or remove features and make tweaks much more easily than is possible with traditionally compiled malware. The Zscaler ThreatLabZ team continues to monitor this threat and others to ensure that Zscaler customers are protected.\r\nIOCs:\r\nMD5:\r\nURLs:\r\nSource: https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.zscaler.com/blogs/research/ftcode-ransomware--new-version-includes-stealing-capabilities"
	],
	"report_names": [
		"ftcode-ransomware--new-version-includes-stealing-capabilities"
	],
	"threat_actors": [],
	"ts_created_at": 1775434194,
	"ts_updated_at": 1775791321,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f858687c58671c687319b0831a9b90ca6b99db2f.pdf",
		"text": "https://archive.orkl.eu/f858687c58671c687319b0831a9b90ca6b99db2f.txt",
		"img": "https://archive.orkl.eu/f858687c58671c687319b0831a9b90ca6b99db2f.jpg"
	}
}